af640cb9f928b92137ee66d59e12ca093d5f1c7db4777958b8c3bb65d215697e

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 14:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

af640cb9f928b92137ee66d59e12ca093d5f1c7db4777958b8c3bb65d215697e_NeikiAnalytics.exe
Size

128KB
MD5

b8962096dc71a074edf181557bd05a70
SHA1

1f39d1e88e86a4233a8f1184e4e81994cfb6ee84
SHA256

af640cb9f928b92137ee66d59e12ca093d5f1c7db4777958b8c3bb65d215697e
SHA512

e6ef91a6c4a91751cf67a4ce0f6794a821fd9f0f268ca1a1717f343f77a49c204c6a4fa2f447d85149fae0efd15e4482383a7f676576200a6fb76b58c92208a5
SSDEEP

3072:7eU1UPAeWPQBjr9TfbJLXz/7Hjvr3TfbnDPLXz/7Hjvr3TfbnDPLXz/7Hjvr3TfL:7XRUBTfbJLXz/7Hjvr3TfbnDPLXz/7Hz

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	af640cb9f928b92137ee66d59e12ca093d5f1c7db4777958b8c3bb65d215697e_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	af640cb9f928b92137ee66d59e12ca093d5f1c7db4777958b8c3bb65d215697e_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe

Executes dropped EXE 12 IoCs

pid	Process
4152	Mnfipekh.exe
4956	Mcbahlip.exe
4116	Njljefql.exe
768	Nacbfdao.exe
3376	Njogjfoj.exe
1232	Nafokcol.exe
1928	Njacpf32.exe
1404	Nqklmpdd.exe
2176	Njcpee32.exe
2328	Nbkhfc32.exe
3008	Ncldnkae.exe
4120	Nkcmohbg.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	af640cb9f928b92137ee66d59e12ca093d5f1c7db4777958b8c3bb65d215697e_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	af640cb9f928b92137ee66d59e12ca093d5f1c7db4777958b8c3bb65d215697e_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	af640cb9f928b92137ee66d59e12ca093d5f1c7db4777958b8c3bb65d215697e_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1104	4120	WerFault.exe	95

Modifies registry class 39 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	af640cb9f928b92137ee66d59e12ca093d5f1c7db4777958b8c3bb65d215697e_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	af640cb9f928b92137ee66d59e12ca093d5f1c7db4777958b8c3bb65d215697e_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	af640cb9f928b92137ee66d59e12ca093d5f1c7db4777958b8c3bb65d215697e_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	af640cb9f928b92137ee66d59e12ca093d5f1c7db4777958b8c3bb65d215697e_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	af640cb9f928b92137ee66d59e12ca093d5f1c7db4777958b8c3bb65d215697e_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	af640cb9f928b92137ee66d59e12ca093d5f1c7db4777958b8c3bb65d215697e_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nbkhfc32.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 4152	4616	af640cb9f928b92137ee66d59e12ca093d5f1c7db4777958b8c3bb65d215697e_NeikiAnalytics.exe	83
PID 4616 wrote to memory of 4152	4616	af640cb9f928b92137ee66d59e12ca093d5f1c7db4777958b8c3bb65d215697e_NeikiAnalytics.exe	83
PID 4616 wrote to memory of 4152	4616	af640cb9f928b92137ee66d59e12ca093d5f1c7db4777958b8c3bb65d215697e_NeikiAnalytics.exe	83
PID 4152 wrote to memory of 4956	4152	Mnfipekh.exe	84
PID 4152 wrote to memory of 4956	4152	Mnfipekh.exe	84
PID 4152 wrote to memory of 4956	4152	Mnfipekh.exe	84
PID 4956 wrote to memory of 4116	4956	Mcbahlip.exe	85
PID 4956 wrote to memory of 4116	4956	Mcbahlip.exe	85
PID 4956 wrote to memory of 4116	4956	Mcbahlip.exe	85
PID 4116 wrote to memory of 768	4116	Njljefql.exe	86
PID 4116 wrote to memory of 768	4116	Njljefql.exe	86
PID 4116 wrote to memory of 768	4116	Njljefql.exe	86
PID 768 wrote to memory of 3376	768	Nacbfdao.exe	87
PID 768 wrote to memory of 3376	768	Nacbfdao.exe	87
PID 768 wrote to memory of 3376	768	Nacbfdao.exe	87
PID 3376 wrote to memory of 1232	3376	Njogjfoj.exe	88
PID 3376 wrote to memory of 1232	3376	Njogjfoj.exe	88
PID 3376 wrote to memory of 1232	3376	Njogjfoj.exe	88
PID 1232 wrote to memory of 1928	1232	Nafokcol.exe	89
PID 1232 wrote to memory of 1928	1232	Nafokcol.exe	89
PID 1232 wrote to memory of 1928	1232	Nafokcol.exe	89
PID 1928 wrote to memory of 1404	1928	Njacpf32.exe	90
PID 1928 wrote to memory of 1404	1928	Njacpf32.exe	90
PID 1928 wrote to memory of 1404	1928	Njacpf32.exe	90
PID 1404 wrote to memory of 2176	1404	Nqklmpdd.exe	91
PID 1404 wrote to memory of 2176	1404	Nqklmpdd.exe	91
PID 1404 wrote to memory of 2176	1404	Nqklmpdd.exe	91
PID 2176 wrote to memory of 2328	2176	Njcpee32.exe	92
PID 2176 wrote to memory of 2328	2176	Njcpee32.exe	92
PID 2176 wrote to memory of 2328	2176	Njcpee32.exe	92
PID 2328 wrote to memory of 3008	2328	Nbkhfc32.exe	93
PID 2328 wrote to memory of 3008	2328	Nbkhfc32.exe	93
PID 2328 wrote to memory of 3008	2328	Nbkhfc32.exe	93
PID 3008 wrote to memory of 4120	3008	Ncldnkae.exe	95
PID 3008 wrote to memory of 4120	3008	Ncldnkae.exe	95
PID 3008 wrote to memory of 4120	3008	Ncldnkae.exe	95

C:\Users\Admin\AppData\Local\Temp\af640cb9f928b92137ee66d59e12ca093d5f1c7db4777958b8c3bb65d215697e_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\af640cb9f928b92137ee66d59e12ca093d5f1c7db4777958b8c3bb65d215697e_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Windows\SysWOW64\Mnfipekh.exe
  C:\Windows\system32\Mnfipekh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4152
- - C:\Windows\SysWOW64\Mcbahlip.exe
    C:\Windows\system32\Mcbahlip.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4956
  - - C:\Windows\SysWOW64\Njljefql.exe
      C:\Windows\system32\Njljefql.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4116
    - - C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:768
      - C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        13⤵
        Executes dropped EXE
        
        PID:4120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 412
        14⤵
        Program crash
        
        PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4120 -ip 4120
1⤵
PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lfcbokki.dll

Filesize
7KB

MD5
9d148648b0512e9c636f66fc71ee37b8

SHA1
27e1ab1124b4f12a5b0d94c68102af332e773005

SHA256
fc7296677ca278b1ba842c941952b86f6ea6ee76b252009d3f7201bda7867260

SHA512
29f3327a60933cf3a41a0f0a8cbf305c4aa4ec447826c1ce2c1e8233b9b6101cd09df03b4ad664fafb38ace978aacc4125e10328f7e76097e15f5ce48d8955ab

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
128KB

MD5
2b297b3e56c3a9a705e70c42fd8fe001

SHA1
67d12bfd1d2d13c21df2ddb6ad14bf5937284f45

SHA256
70d301797515cf13dfe014a551159bc3b9e79e20c2632b476ed22fc7d79bd4fd

SHA512
8007574cb398d2919919555350f25f072e0deeeccf3174117f59e5cd96611eb95e2489b6ea602cbfe42b5d8ad3b0c60d0ce0f8b0b36bb983103c100553c014b6

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
128KB

MD5
45a3441ddacc66556a3f3ace520222ec

SHA1
f8dd2e3ae5d45df0e626ae95831d05df6e79aed3

SHA256
51e72f7e1cba357b313b71672acc8e0fd175ec6ea56681dcb0c75377f2f5d663

SHA512
9bc56fff576133cd79ebe02977d01e8e6f15a7fdf252525a54ad45e05d3d8cb9f3056475929b23d6a73375b4f9a31b2a01b9836c72c9ac88176e684b70880a6f

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
128KB

MD5
0108098760c4a65d0bbb483689151ac3

SHA1
2167ef15b590592fe8f5fb3f902bf4dcd4f3ce1f

SHA256
4aea3db985270099e9b7bcb6d289341c8bb89670e71563e22b96b92a9b88bb9d

SHA512
cbb4569476eabdf881342108e748d0895a2737c3101a228138f1e1717fa8ef7263790663ec351cdbc0e2773d2f0d8548a6a130e73aabd0d96e674d19eb28f80e

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
128KB

MD5
474920dd35c2b9851cd4740c64ca0482

SHA1
5a9aec8b8ef62d5fc594332792dc4225733073cd

SHA256
017347c68405593e2430a681075d66d09362a0cad2b869f96c2ec0360de14f70

SHA512
3b8748d0a3f75dc2a116fc234c44d51170a20e45ef1e578f9180b99db69dba51765ee57c22277bbb6fedca3f5b3c38bae307e124430946ec8ebacdffc91ff57b

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
128KB

MD5
6ce7f0a05fc53428338c6ed69fab1793

SHA1
740ea055a2d54ff7c96dece5c74425909f76ab15

SHA256
773038b1a3e9f387d29553a6aa1c91d3088f8b4d70a6bd4a8c4547284a0535ea

SHA512
ae520464f8d8835c08fd655356a6ac6b2356fb0cecf3b2a34cf1c288939e9ce52380aa99b09aeddeadf886b8badab469717166f1646504523d89c2748ab27ab3

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
128KB

MD5
e5f1acde29cae9f124028d77cca9cf16

SHA1
1e633e35a03490f11bbc3a15905b339667b8c1e0

SHA256
2c2f459ec4679e6f9fdad5401d9e957a7436c4ef4e6d512a367715a8ceda1d3b

SHA512
e15949716f11b91c15acf22cc0d6b258eb1ee18b68ba16eb7534fffa6676165a480548ab8bc4d64e3ff9f634be7e1abb2a38dc1b6f95891c911ed2640f2a3ee7

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
128KB

MD5
daa440b0f29470ea3fe9a33822270be3

SHA1
03f22a9ff7edb63cc592c1d9c3a524c381c20913

SHA256
6ab8759740ff5c1e476b6359151618c91e77f196c09eb08f0be2fcf675c8235c

SHA512
8a339a39a1581f1bcec732d7ba4e7256b4849c538dfa266dd98d0d1fafb91eb2c36fb90234d881fdcebf7cad4bec711febb53fb3fc4a68d130022d364bf7fe56

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
128KB

MD5
8d263587edef1fb719039452ebafed22

SHA1
af358daf1f60d005f42a96ca13c8d654d9cd5805

SHA256
8e58d9e766a02036aa14a88d0738e1f62239a774c12cbb6ff1799fd60debfb49

SHA512
8dd9fd576bf5d739afc91f36dfdd09c538c6110932d831aa4f73a4103d341658d0ec3ba84621c02e35fc47bb32e971ac0a801eae3878bd0771831ad2aedee664

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
128KB

MD5
d6cf520427074b2bc118a19426ab6fb0

SHA1
e82c6d1cc0a66427a0d5cc218ed6194af9158d40

SHA256
71c8370792f6aa4433257304019a697f52a242d47e24005624fd4438878ed152

SHA512
176d734396b5ed8e015407d3eee0972b71e53cdfb904b207480f4aa3001e1052124b6933998f95056708bb46da08b359ff32ef35025594bb63bd99c8b36e69bc

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
128KB

MD5
88ea22eda229d2bfa06269fe9f8df0ab

SHA1
5b30c1bd5e999dc4b329eb0a43e2e929523870d0

SHA256
678a926d08cd109304058b9552b70e6f8ee95360a899a5b13b40e73c125894d5

SHA512
546064fc92ee91180346d4494bc66990ed5df51f8e6cd4cb7c5c44bcb853d0f1884331aef5bd5299877d6d7240eb1b306e585ba092b1835c2590f56773fa86e7

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
128KB

MD5
f446672850b52aa3222b864647fe8331

SHA1
3a2991ec02351e41a9af9d940321c089d5468066

SHA256
bebdfd8e0f6fa79700bd1afc3b5aaeb42685a5cb3a0245b64bf2d3a57080f68b

SHA512
4e6fda4e4e940affe2a049d7c08b49d6ff6abc63b078ae620221c84ae630c6a13a1834c02c58d13392b57098d3d4116e0b331e08f54b4dcd14c8a606b815de62

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
128KB

MD5
58eef8a4030686f17998468799894d9d

SHA1
232b5facbdb719823b60cae03dcb780d7c31b0a0

SHA256
130da13a01871eff3549a861ebd0555c30550861e1f38a01341658a411b9c47f

SHA512
577c352c2ec75bf3a02a7f8dfeec83d79dd08ef54605e7c66691dfa9d8aa5834089149a5b69be34d7a8b458181be9dba21e846e27461c3a89823e29fce97ef8f

Download Submit
memory/768-103-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/768-32-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1232-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1232-101-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1404-100-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1404-63-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1928-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1928-105-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2176-72-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2176-99-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2328-84-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3008-88-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3008-98-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3376-40-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3376-102-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4116-24-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4116-104-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4120-96-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4120-97-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4152-11-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4152-106-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4616-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4616-107-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4956-20-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads